As Published In
Oracle Magazine
May/June 2008

COMMENT: All Secure

SOA What?

By Mary Ann Davidson

Even with service-oriented architecture, consider the source.

As long as I have worked in the IT industry, the holy grail has been reusable code. In fact, IT industry history is littered with acronyms that promised reusable code but didn't deliver it.

It makes sense—especially for security—to use a well-vetted module for a common function instead of having all developers "roll their own." For example, for many years, Oracle has had its developers use standard cryptographic modules. Integration and maintenance costs are lower, too, if you have modular services that other components can use instead of duplicative, deeply embedded code. You can develop new applications faster if the basic building blocks—especially security ones such as identity and access management—are just there and accessible. Last, much of IT is now affected by regulations requiring you to show that security controls are implemented properly. This is much easier if security is enforced in a few correct (and auditable) places instead of deep in your multimillion-lines-of-code base.

The latest industry go-round at reusable code is service-oriented architecture (SOA). Unlike earlier code reuse flops, SOA is succeeding, for several reasons. For one, the industry has enough "standards glue" to make SOA work. In fact, Oracle has been a leader in the creation of Web security standards such as SAML, XACML, WSS, WS-SX, and the Identity Governance Framework. Integrated, standards-based identity and access management offerings such as Oracle Identity and Access Management give developers a healthy toolbox of choices. And the Webifying of legacy applications and the emergence of Web 2.0 have created a compelling market need.

Oracle believes that most developers should be writing "secure code," not "security code." Accordingly, developers can use libraries such as Oracle Security Developer Tools or, better still, leverage SOA and Web services security through Oracle Web Services Manager to attach security policies to Web services or SOA composites. With Oracle Web Services Manager, security is not "siloed" into each application but, rather, centralized in a single point of administration.

As a security kahuna, I offer several cautionary notes about SOA. One is that if you incorporate modular logic into your application and it's a critical component, you need to acquire that component from an entity you trust. You wouldn't buy a home alarm system from just anyone you met on the street. Similarly, you wouldn't download a critical component on the fly from It's never about "assertions"; it's about where you get code and knowing what the code does.

A second caution is to remember information security Rule No. 1: "Don't trust any information from the client." (Rule No. 2 is "See Rule No. 1.") What does this mean in terms of SOA? Simply that, to the extent that developers put more "rich code" on the client, they create security problems if that information is not validated by the server before it is "accepted." No protocol, security framework, or standard will ever replace proper server-side validation, because anyone can hand the server something it expects that appears valid. You might be able to trust a server within your control, but you absolutely cannot trust 9 million clients outside your control.

A new book by Gary McGraw, Exploiting Online Games, describes how online games are massively distributed systems with rich clients (just like SOA). If a fearless gamer can "trick" the server into believing "Fearless Gamer killed three trolls and earned a magic sword," he will do so, especially if he can sell the virtual sword for real money—and he can. Developers focused on the "rich client" experience must remember that they cannot believe anything the client hands the server unless they separately validate it. I can tell the guard at a bank that I am the queen of England, but the bank won't let me access Her Majesty's bank account unless I prove it.
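The troll-and-sword case above, as an added example that is not part of the original column: a handler that believes the client's report beside one that treats the report as a request and decides from records the server made itself. The reward rule, player name, and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed rule for illustration: three troll kills earn the magic sword.
REWARD_RULES = {"magic_sword": ("troll", 3)}

@dataclass
class ServerState:
    kills: dict = field(default_factory=dict)      # kills the server itself resolved
    inventory: dict = field(default_factory=dict)
    granted: set = field(default_factory=set)      # (player, reward) already issued

    def record_kill(self, player, monster):
        self.kills.setdefault(player, []).append(monster)

def grant_trusting(state, claim):
    """Before: the server believes whatever the client reports."""
    state.inventory.setdefault(claim["player"], []).append(claim["reward"])
    return True

def grant_validated(state, session_player, claim):
    """After: the claim is only a request; server-side records decide."""
    reward = claim.get("reward")
    rule = REWARD_RULES.get(reward)
    if rule is None or claim.get("player") != session_player:
        return False          # unknown reward, or identity not matching the session
    monster, needed = rule
    if state.kills.get(session_player, []).count(monster) < needed:
        return False          # the client's own "kills" field is never consulted
    if (session_player, reward) in state.granted:
        return False          # replay of an already honoured claim
    state.granted.add((session_player, reward))
    state.inventory.setdefault(session_player, []).append(reward)
    return True

def demo():
    """Constructed run: forged claim, legitimate claim, then a replay."""
    state = ServerState()
    claim = {"player": "fearless_gamer", "kills": 3, "reward": "magic_sword"}
    results = [grant_validated(state, "fearless_gamer", claim)]
    for _ in range(3):
        state.record_kill("fearless_gamer", "troll")
    results.append(grant_validated(state, "fearless_gamer", claim))
    results.append(grant_validated(state, "fearless_gamer", claim))
    return results            # [False, True, False]
```

The identical, well-formed claim is rejected, accepted, and rejected again depending only on what the server recorded, which is why no message format or protocol can stand in for the check.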

Oracle SOA Suite is a wonderful place to find a development framework—including SOA and Web services security—that also integrates well with Oracle's identity and access management products to provide end-to-end security from clients (browsers or applications) to portals to networks of Web services. You can build cleaner, more-secure applications faster. But do not forget the maxim about nuclear disarmament that's even more applicable to massively distributed applications: "Trust but verify."


Mary Ann Davidson is the chief security officer at Oracle, responsible for secure development practices, security evaluations, and assessments. She represents Oracle on the board of directors of the Information Technology Information Security Analysis Center and the U.S. Defense Science Board and is on the editorial review board of SC Magazine.
